File wireshark-0107-CVE-2025-13946.patch of Package wireshark.41978

commit e4f3706e1bb9ea0cc710193762be9ab36c18d207
Author: Anders Broman <anders.broman@ericsson.com>
Date:   Mon Dec 1 08:41:55 2025 +0100

    MEGACO: Handle tvb_get_uint8 returning -1
    
    When dissecting a media descriptor, handle tvb_get_uint8 returning
    -1 when searching for a left or right bracket and not finding it
    by setting the bracket offset to the end offset so that the loop
    will exit. Leaving it at -1 can cause going backwards and at worst
    infinite loops.
    
    Fix #20884
    
    
    (cherry picked from commit aba1fbe6266beb6bf9b887b6eab008e4f4841c9b)
    
    Co-authored-by: John Thacker <johnthacker@gmail.com>

diff --git a/epan/dissectors/packet-megaco.c b/epan/dissectors/packet-megaco.c
index 011e3398f2..42b606f512 100644
--- a/epan/dissectors/packet-megaco.c
+++ b/epan/dissectors/packet-megaco.c
@@ -1772,8 +1772,15 @@ dissect_megaco_mediadescriptor(tvbuff_t *tvb, proto_tree *megaco_tree_command_li
         mediaParm = find_megaco_mediaParm_names(tvb, tvb_current_offset, tokenlen);
 
         tvb_LBRKT = tvb_find_guint8(tvb, tvb_next_offset , tvb_last_RBRKT, '{');
-        tvb_next_offset = tvb_find_guint8(tvb, tvb_current_offset+1 , tvb_last_RBRKT, '}');
-        tvb_RBRKT = tvb_next_offset;
+        if (tvb_LBRKT == -1) {
+            // Not found, use the end offset.
+            tvb_LBRKT = tvb_last_RBRKT;
+        }
+        tvb_RBRKT = tvb_find_guint8(tvb, tvb_current_offset+1 , tvb_last_RBRKT, '}');
+        if (tvb_RBRKT == -1) {
+            // Not found, use the end offset.
+            tvb_RBRKT = tvb_last_RBRKT;
+        }
 
         switch ( mediaParm ){
         case MEGACO_LOCAL_TOKEN: